summaryrefslogtreecommitdiffstats
path: root/src/config
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2010-05-06 10:09:41 -0400
committerStephen Gallagher <sgallagh@redhat.com>2010-05-27 14:44:14 -0400
commit35480afaefafb77b28d35b29039989ab888aafe9 (patch)
tree60789844987297b64c9dc237bdd4501e4b5df86f /src/config
parent8bb6aa3fd81a3c195b92270ddf189296abae65eb (diff)
downloadsssd-35480afaefafb77b28d35b29039989ab888aafe9.tar.gz
sssd-35480afaefafb77b28d35b29039989ab888aafe9.tar.xz
sssd-35480afaefafb77b28d35b29039989ab888aafe9.zip
Add ldap_access_filter option
This option (applicable to access_provider=ldap) allows the admin to set an additional LDAP search filter that must match in order for a user to be granted access to the system. Common examples for this would be limiting access to users by in a particular group, for example: ldap_access_filter = memberOf=cn=access_group,ou=Groups,dc=example,dc=com
Diffstat (limited to 'src/config')
-rw-r--r--src/config/SSSDConfig.py3
-rwxr-xr-xsrc/config/SSSDConfigTest.py2
-rw-r--r--src/config/etc/sssd.api.d/sssd-ldap.conf3
3 files changed, 7 insertions, 1 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 6b759d83c..7b9d96c9e 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -151,6 +151,9 @@ option_strings = {
# [provider/ldap/auth]
'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
+ # [provider/ldap/access]
+ 'ldap_access_filter' : _('LDAP filter to determine access privileges'),
+
# [provider/simple/access]
'simple_allow_users' : _('Comma separated list of allowed users'),
'simple_deny_users' : _('Comma separated list of prohibited users'),
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
index 61c2f9497..04d438e06 100755
--- a/src/config/SSSDConfigTest.py
+++ b/src/config/SSSDConfigTest.py
@@ -687,7 +687,7 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
control_provider_dict = {
'ipa': ['id', 'auth', 'access', 'chpass'],
'local': ['id', 'auth', 'chpass'],
- 'ldap': ['id', 'auth', 'chpass'],
+ 'ldap': ['id', 'auth', 'access', 'chpass'],
'krb5': ['auth', 'chpass'],
'proxy': ['id', 'auth'],
'simple': ['access'],
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index abcb5199d..7f0c36069 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -67,5 +67,8 @@ ldap_force_upper_case_realm = bool, None, false
[provider/ldap/auth]
ldap_pwd_policy = str, None, false
+[provider/ldap/access]
+ldap_access_filter = str, None, false
+
[provider/ldap/chpass]